When you use the app's built-in backup mechanism — say, to avoid losing messages after uninstalling and reinstalling the app, or when moving them to a new device — WhatsApp is allegedly protecting your backup with the same encryption key it uses for everyone else, instead of creating a unique key for each user.

This means the backup is written to a database in insecure storage, where the chats could potentially be read and stolen by another app. In theory, the developer of another app could decrypt the file and ultimately gain access to those messages.

Bosschert notes on his website that the WhatsApp database is saved to the phone's SD card, which any Android app can read once the user grants it that permission. Requesting SD card access is common practice (many apps legitimately store non-sensitive data there), so when an app asks for it, many users would, in theory, grant it.
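The two weaknesses described above (one encryption key shared by every copy of the app, and the backup file sitting on storage any app can read) compound each other, and the fix is a key-management change rather than a stronger cipher. The following Python model is an added example, not code from the article or from WhatsApp: it simulates two installs writing backups to a shared "SD card" under the shared-key design and under a per-install-key design, then checks what a second app holding only the backup file and the app-wide key can recover. The cipher is a toy HMAC-SHA256 construction standing in for AES-GCM so it runs on a bare Python install; `APP_WIDE_KEY`, the `SdCard`/`Install` classes and the sample users are constructed for the demonstration.

```python
import os
import hmac
import hashlib

# --- toy AEAD (HMAC-SHA256 keystream + tag), a stand-in for AES-GCM ---------
# Built from the standard library only so the example runs anywhere; a real
# app would use a vetted AEAD. The key-management lesson does not depend on it.

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered backup")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- the two backup designs -------------------------------------------------
# Constructed stand-in for a key compiled into the app binary: it is identical
# for every user, so anyone who has a copy of the app effectively has the key.
APP_WIDE_KEY = hashlib.sha256(b"constant baked into every copy of the app").digest()

class SdCard:
    """Shared external storage: any app granted SD-card access can read it."""
    def __init__(self):
        self.files = {}

class Install:
    """One installation of the messaging app on one device.
    per_install_key=False is the shared-key design the article describes;
    per_install_key=True is the hardened form."""
    def __init__(self, user: str, sdcard: SdCard, per_install_key: bool):
        self.user, self.sdcard = user, sdcard
        self.private = {}                      # app-private storage (not on the SD card)
        if per_install_key:
            # Fresh random key generated on first run; it never leaves
            # app-private storage (on Android: internal storage or the Keystore).
            self.private["backup.key"] = os.urandom(32)

    def backup_key(self) -> bytes:
        return self.private.get("backup.key", APP_WIDE_KEY)

    def write_backup(self, messages: bytes) -> None:
        self.sdcard.files[self.user + "/msgstore.db"] = encrypt(self.backup_key(), messages)

def readable_by_other_app(sdcard: SdCard, user: str) -> bool:
    """Models a second app that has SD-card access and knows the app-wide key.
    True if the backup file alone is enough to recover the user's messages."""
    try:
        decrypt(APP_WIDE_KEY, sdcard.files[user + "/msgstore.db"])
        return True
    except ValueError:
        return False

def compare_designs() -> dict:
    """Run both designs for two constructed users and report exposure."""
    results = {}
    for label, per_install in (("shared_key", False), ("per_install_key", True)):
        card = SdCard()
        for user in ("alice", "bob"):
            Install(user, card, per_install).write_backup(b"hi from " + user.encode())
        results[label] = {u: readable_by_other_app(card, u) for u in ("alice", "bob")}
    return results

if __name__ == "__main__":
    print(compare_designs())
```

Under the shared-key design every backup on the card opens with the one key, so a single extraction of that key exposes all users; under the per-install design the file on the SD card is useless without the key held in app-private storage, which is the property a backup on world-readable storage needs.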